In both civil and criminal enforcement proceedings, 2017 was perhaps most notable for the cases brought against individual health care providers and small physician practice owners.  Among the factors that may have resulted in the uptick in cases against individuals are the Yates Memo issued in late 2015, improved and increased reliance on sophisticated data analytics, and the aggressive focus on opioid addiction and its causes. Continue Reading Health Care Enforcement Review and 2018 Outlook: Criminal and Civil Enforcement Trends

The U.S. Department of Justice (DOJ) issued a memo dated January 4, 2018 regarding federal marijuana enforcement policy, directing all U.S. Attorneys to enforce the laws enacted by Congress and to follow well-established principles when pursuing prosecutions related to marijuana activities. Attorney General Jeff Sessions’ memorandum rescinds multiple guidance documents issued during the Obama administration, such as the Cole Memo dated August 29, 2013, and announces a “return to the rule of law.” Continue Reading Sessions Memo Resets Federal Marijuana Enforcement Policy

Patient assistance programs have been a staple within the health care industry for over a decade. These programs, operated by 503(c)(3) charities, may receive funding from pharmaceutical manufacturers or other providers to offer assistance to low-income patients in affording their medications, copayments, deductibles, premiums, or other related services. The Office of the Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) have acknowledged the role of provider- and manufacturer-supported charitable premium assistance and have established parameters for these charities to operate in compliance with the Anti-Kickback Statute.

Over the last two years, however, government scrutiny and enforcement related to charitable patient assistance programs have increased. During this time, nearly a dozen pharmaceutical manufacturers and providers have publicly disclosed receipt of government subpoenas investigating their contributions to patient assistance charities.

These new investigations raise a number of questions when it comes to structuring relationships with patient assistance programs.  On May 16th, we will be holding a webinar to review these current investigations and outline what providers, payors, pharmacy benefit managers (PBMs), and pharmacies working with manufacturers and patient assistance programs need to know in light of these investigations.

We hope you join us!  For more information and to register for this webinar, please click here.

Last week the Health Care Compliance Association hosted its annual “Compliance Institute.”  Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for whom media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of their workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be released with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However, the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as its plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

In this final installment of our Health Care Enforcement Review and 2017 Outlook series, we analyze health care enforcement trends gathered from 2016 civil settlements and criminal resolutions of health care fraud and abuse cases. Behind the headlines covering enormous recoveries in 2016, several themes are apparent.

The False Claims Act continued to generate large civil settlements.

Continuing the trend from recent years, the False Claims Act (“FCA”) remained the primary civil enforcement tool against health care providers as well as pharmaceutical, life sciences, and medical device companies, predominantly driven by qui tam FCA complaints filed by relators.  In fiscal year 2016, the Department of Justice obtained more than $4.7 billion in settlements and judgments from FCA cases, $2.5 billion of which it obtained from the health care industry.  Continue Reading Health Care Enforcement Review and 2017 Outlook: Significant Health Care Fraud and Abuse Civil Settlements and Criminal Resolutions

Earlier today, my colleagues Tom Crane and Larry Freedman released a Health Care Enforcement Defense Advisory regarding the Supreme Court’s long-awaited, unanimous decision in Universal Health Services v. United States ex rel. Escobar (“Escobar”). As they discuss in detail, the Court ruled that under certain circumstances the theory of “implied false certification” can give rise to liability under the False Claims Act (“FCA”).

The Court explained that FCA liability can attach when (1) “the claim does not merely request payment, but also makes specific representations about the goods or services provided,” and (2) the defendant’s “failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” However, the Court also limited the scope of the FCA by imposing a “rigorous” and “demanding” standard of materiality.

For more information and a discussion on what this decision might mean for health care enforcement defense, please click here.

Last week the Supreme Court heard oral argument in a False Claims Act (“FCA”) case in which the Court is considering the validity of the so-called implied false certification theory. This theory attaches FCA liability when a person submits a claim for payment notwithstanding a violation of an underlying law or regulation, but without a factually false claim form. Because of the massive volume of Medicare and Medicaid regulations that a provider could potentially violate, the case is significant. More than two dozen stakeholders weighed in with amici briefs.  Here we discuss some of the important questions raised in the oral argument. Continue Reading Justices Grapple with Limits of False Claims Act Liability in Implied Certification Cases

As we start a new year, let’s take a look back at a few hot topics that emerged in the managed care industry in 2015 and will likely be drivers of developments in 2016.

Industry Consolidation – The Changing Landscape

2015 was a year of significant activity for MCOs large and small. In addition to proposed mergers among some of the largest payors, smaller MCOs are also consolidating with other MCOs, as well as service providers, in an attempt to leverage purchasing power and integrate care models. As we discussed in our Pharmacy Industry year in review, consolidation reshaped the traditional PBM industry paradigms with a move away from stand-alone PBMs to MCO and provider-affiliated PBMs.

Competition Scrutiny

Moving into 2016, we will learn whether the proposed consolidations will be approved and whether the trend will continue. The government will also generally continue to scrutinize health care competition, paying close attention to the proposed mergers among Aetna/Humana and Anthem/Cigna. In early 2015, our colleagues highlighted the FTC-DOJ workshop examining health care competition where the agencies worked together to identify and examine the potential competitive implications of strategies currently used by providers and payors seeking to reduce costs and improve quality.

We are also beginning to see competition scrutiny expand beyond the regulatory agencies. For example, the House Judiciary Subcommittee on Regulatory Reform, Commercial and Antitrust Law held hearings examining competition in the PBM industry, while the Central District of Illinois District Court permitted a small regional hospital’s antitrust challenge to its largest competitor’s exclusive dealing contracts with payors to move forward. Continue Reading The Managed Care Industry – 2015 Year in Review

Over the past year, significant regulatory changes began to take shape that will have lasting effects on the laboratory industry for years to come. After publishing draft guidance regarding the regulation of laboratory developed tests (LDTs) in late 2014, the Food and Drug Administration (FDA) made clear in 2015 that it intends to move forward with its proposal next year, and the Centers for Medicare & Medicaid Services (CMS) published a proposed rule outlining the process for overhauling the Medicare Clinical Laboratory Fee Schedule (MCLFS) for the first time in over 20 years. In addition, laboratories faced more than their fair share of enforcement actions and other litigation, and this level of activity is likely to continue in 2016. Continue Reading Laboratories – 2015 Year in Review [VIDEO]

Last week, the Federal Trade Commission (“FTC” or “Commission”) authorized staff to file an administrative complaint and to seek in federal court a temporary restraining order and a preliminary injunction to block the proposed merger of Advocate Health Care Network (Advocate) and NorthShore University HealthSystem (NorthShore) in the Chicago area.  In the Matter of Advocate Health Care Network, Advocate Health and Hospitals Corporation, and NorthShore University HealthSystem, FTC Docket No. 9369 (December 17, 2015).  The FTC alleged that the combined entity would operate the majority of the hospitals in the North Shore area of Chicago, and control more than 50% of the general acute care inpatient hospital services. Continue Reading A Return to Evanston: FTC Revisits Old Ground in Yet Another Hospital Merger Challenge